Conficker: The Tech Herald’s index of news and information

Apr 8 2009, 23:55 by Steve Ragan

Over the last few months the Conficker Worm has gained infamy in the press and security circles. The Worm is still spreading, but so are rumors, fear, and misinformation. This article is a collection of the latest information, removal tools, and mitigation tips. It will also serve, going forward, as the single article we will use to keep you informed about the latest Conficker developments.

The news related to the Conficker Worm has flooded the Internet with fear, uncertainty, and doubt. However, before you can start to panic, it helps to understand the difference between fact and fiction when it comes to Conficker itself. Depending on the type of information you are looking for, the index below will point you in the right direction.

Another Conficker variant discovered – new version still fighting removal

"We found a new variant yesterday, which is very similar to the old one. It blocks more domains and more disinfection tools. As you know, Conficker was already blocking access to security websites and removal tools. Now its list is bigger. It is a minor upgrade to the C version, designed to make disinfection even harder, or to counter the disinfection methods that have appeared," Vlad Valceanu, BitDefender's Senior Security Researcher, told The Tech Herald.

The U.S. Department of Homeland Security (DHS) announced the release of a DHS-developed detection tool that can be used by the federal government, commercial vendors, state and local governments, as well as infrastructure owners and operators to scan their networks for the Conficker Worm.

The tool, developed by the United States Computer Emergency Readiness Team (US-CERT), has been made available to federal and state partners via the Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs).

"While tools have existed for individual users, this is the only free tool – and the most comprehensive one – available for enterprises like federal and state government and private sector networks to determine the extent to which their systems are infected by this worm," said US-CERT Director Mischel Kwon. "Our experts at US-CERT are working around the clock to increase our capabilities to address the cyber risk to our nation's critical networks and systems, both from this threat and all others."

Researchers release more Conficker tools and detection methods

Researchers with the HoneyNet Project have developed a method to discover Conficker infections by using network scanning. The HoneyNet Project’s Tillmann Werner and Felix Leder are expected to release a paper detailing their work over the past five months, but the tools described in the paper are available now. For more information go here.

There are three variants of Conficker. The one that has infected the most systems is variant B. However, variant C has gained the most press coverage due to its restructured code. Variant A is the original Worm; since its release in 2008 the code has been modified so extensively that the original version is weak by comparison with its present form.

The Conficker Worm will infect your system or network using one of three methods, or a combination of all of them.

The first is a failure to patch your Windows system with MS08-067. However, while this is the major infection vector, it is only one of the known methods. The Worm actually patches your system against the vulnerability addressed last October when Microsoft released MS08-067. How’s that for sick?

The second method of infection is removable storage. Conficker will attempt to spread itself on removable media, such as USB drives. In the case of USB media, if Autoplay (AutoRun) is enabled then the Worm triggers it by creating an Autorun.inf file.

The third known infection method deals with networked computers and mapped drives. By using a dictionary attack to guess the ADMIN$ share passwords on an infected network, the Worm can move about if the passwords are weak. Because of this, any mapped network drive where the system allows ADMIN$ access to remote users is a potential victim. If the remote system on the network also has attached USB storage, there is twice the chance for infection. [See Microsoft’s note on ADMIN$ shares here. A list of passwords is here.]

BitDefender told The Tech Herald the Worm calls certain APIs to avoid emulation. They pertain to math functions from a library that ships with Windows. These math-related API functions are rarely used in day-to-day programs, so the emulators that anti-Virus engines use to run suspicious code often do not implement them. One example of a math function being abused in this way was a function related to trigonometry.

Conficker will use various sources to gain access to the system IP, such as connecting to http://checkip.dyndns.org. Once the IP address is determined, the Worm will then attempt to infect other computers on the subnet by creating a small HTTP server, thus allowing it to serve the Malware to other systems without the need to rely on a central location.

Using NetServerEnum to enumerate machines on the network, Conficker then tries a rather impressive list of common passwords in an attempt to gain legitimate remote access to systems on the same network, simply following the trail of mapped drives and local IPs.

If the active user account on the infected system does not have administrator rights on the remote system, the Worm will use NetUserEnum to acquire a list of usernames that are granted access and the same password list will go to work in an attempt to login.

Completely self-contained, the Worm will use Google, Yahoo, Ask, and other search engines to check the date. Once the date has been obtained, a list of domains is generated and used either to download more Malware or to update the Worm itself.

There is a whole list of terms, such as CERT, SANS, Microsoft, AVG, Bit9, Windows Update and others, and if one of them is discovered in a loaded process name or an Internet domain, the Worm will deny the user access to it. This happens because Conficker hooks into the DNS of the infected system, blocking lookups for any name that contains one of the strings.

Essentially, if the application or term is related to Malware removal, security, or patching in any shape or form, you will have no access to the resource. Symantec discovered that variant C takes this further by killing processes related to security tools that are active on the system, including attempts to kill security software such as anti-Virus.

Researchers at SRI discovered that variant B (also called B++) is capable of Peer-to-Peer updates, bypassing the need to use the Internet to receive instructions.

Other related information:

USA Today reporter Byron Acohido has worked to establish a timeline for Conficker. You can view that information here.

Fortinet has written an article for those who want to research Conficker for themselves. The article gives a quick lesson in how to reverse engineer Conficker. A great read for researchers.

However, while professionals know the risks and understand them, hobbyists should use caution and follow proper testing methods before working on the Malware. The Fortinet article is here.

F-Secure offers a great FAQ related to the April 1 hype as well as a related resource for technical details on the Conficker Worm. The FAQ is here and the tech article is here.

SRI published their research on variant C of the Conficker Worm; this report can be read here. SRI’s previous research on Conficker and the subsequent report is here.

Considering the methods of infection, there are a few tricks you can perform to prevent becoming one of the millions of users who have a system completely owned by the Conficker Worm.

The first is to protect your system with the official Microsoft patch before you fall to infection. Most of the trouble you are reading about in the media focuses on business networks.

Home-based users can run Windows Update and apply all patches that are missing. In the future, because this will not be the last we're likely to see of these types of Worms, make sure that Windows Update is set to automatically download and install whenever updates are issued.

Next, you need to disable AutoRun. There are two separate sets of steps to take depending on which operating system you're using.

Windows XP, 2000, 2003:

Click START then RUN

Type GPEDIT.MSC into the OPEN box and click OK

Under Computer Configuration, click Administrative Templates, and then System

Right click on Turn off Autoplay (Disable Autoplay on Win 2000) and select Properties

Click Enabled, and then in the dropdown select All Drives. Click OK and close the GP Editor

Reboot

Windows Vista:

Click START, type GPEDIT.MSC in the search box and hit enter

Note: You might need to enter your administrator password at this point

Under Computer Configuration, expand both Administrative Templates and Windows Components, and then click Autoplay Policies

Double click Turn off Autoplay

Reboot

Note: For anyone who has issues disabling AutoRun, you may need an update released by Microsoft that addresses issues where AutoRun still functions even after it is disabled. You can get more information on this update by viewing KB967715 here.

The Knowledge Base article, KB967715, supersedes the original article KB953252. Moreover, for anyone who tried and failed to disable AutoRun before February 24, Microsoft has since pushed this update to customers via Windows Update and Microsoft Update.

After you apply the update, if there are still issues disabling AutoRun, visit the new KB Article for more information and workarounds. The update applies to Microsoft Windows 2000, Windows XP (SP2 and SP3), and Windows 2003 (SP1 and SP2).

Finally, the strongest defense against Conficker infection is a solid, strong password. Using a password that's easy to guess, found in a dictionary of any language, or shorter than eight characters is not recommended.

Adding to the steps above, business users have some other layers of defense at their disposal. Under Server Service Vulnerability on the MS08-067 Security Bulletin, read up on the workarounds Microsoft has provided.

There is also a granular level of control for AutoRun, which is explained here.

Extra tips:

Do you have problems disabling AutoRun because the System node is missing under Administrative Templates? The video below will explain what to do.

If you are using Vista Home or Home Premium, you will not have access to GPEDIT. This is because only domain-based versions of Vista have the ability to use group policy tools.
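For systems where the Group Policy steps above cannot be followed (Vista Home editions have no GPEDIT, and some XP installs are missing the System node), the same setting can be written directly to the registry. This is an added example, not code from the article or from Microsoft; the key and value name are the documented ones that the "Turn off Autoplay: All Drives" policy writes, and the page's note about KB967715 still applies, since without that update the setting may not be honored.

```powershell
# Added example: registry equivalent of the "Turn off Autoplay: All Drives" policy.
# Run from an elevated PowerShell prompt, then reboot. NoDriveTypeAutoRun is a bitmask of
# drive types on which AutoRun is disabled (0x04 removable, 0x10 network, 0x20 CD-ROM, ...);
# 0xFF sets every bit and therefore disables AutoRun on all drive types.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF

# The Policies\Explorer key does not exist until a policy has been applied at least once.
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

$current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq $AllDrives) {
    Write-Output ('AutoRun is already disabled for all drives ({0} = 0x{1:X2}).' -f $ValueName, $current)
} else {
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
    Write-Output ('Set {0} to 0xFF (previous value: {1}). Reboot to apply.' -f $ValueName, $current)
}

# Verify that the bits for removable (USB) and network drives, the two vectors the article
# describes, are set in the value that was actually stored.
$check = (Get-ItemProperty -Path $PolicyKey -Name $ValueName).$ValueName
if (($check -band 0x04) -and ($check -band 0x10)) {
    Write-Output 'Verified: AutoRun is off for removable and network drives.'
} else {
    Write-Output ('WARNING: value is 0x{0:X2}; removable or network AutoRun is still enabled.' -f $check)
}
```

Because this writes to HKLM, it covers every user on the machine, matching the Computer Configuration policy in the steps above.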

When it comes to removal, security vendors have you covered. Most offer tools to check and remove Conficker infections.

Still, the best removal tool is a properly updated anti-Virus application and consistent scanning. You will be hard pressed to find a vendor who cannot protect you from Conficker. Even the free anti-Virus scanners will catch the Worm and remove it.

Below are some of the vendors and tools available to you.

Conficker Working Group: The group has created an at-a-glance tool to determine if you are infected by Conficker. The tool, called Eye Chart, is available online here. If you see all the images, you are clean.
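The Eye Chart works because, as described earlier, Conficker hooks DNS on the infected host and blocks lookups for names containing strings such as "microsoft", "sans", "cert" and "avg". The following is an added command-line check built on the same idea; it is not the Working Group's tool and not code from the article, and the particular hostnames used are this example's own choices, picked only because each contains one of the blocked strings.

```powershell
# Added example: a command-line self-check in the spirit of the Eye Chart.
# A neutral control name is resolved first; if it resolves but names containing the
# worm's blocked strings do not, the host is suspect and should be scanned from clean media.
$ControlHost   = 'www.example.com'     # neutral name, not on the block list
$SecurityHosts = @(                    # assumed hostnames; each contains a blocked string
    'www.microsoft.com',
    'update.microsoft.com',
    'www.sans.org',
    'www.cert.org',
    'www.avg.com',
    'www.bitdefender.com'
)

function Test-NameResolves {
    param([string]$Name)
    try {
        # Plain .NET resolver, available on Windows 2000/XP-era PowerShell as well.
        [void][System.Net.Dns]::GetHostAddresses($Name)
        return $true
    } catch {
        return $false
    }
}

if (-not (Test-NameResolves $ControlHost)) {
    Write-Output "Control lookup for $ControlHost failed: no working DNS, so this test is inconclusive."
    return
}

$blocked = @()
foreach ($h in $SecurityHosts) {
    $ok = Test-NameResolves $h
    Write-Output ('{0,-24} {1}' -f $h, $(if ($ok) { 'resolved' } else { 'BLOCKED' }))
    if (-not $ok) { $blocked += $h }
}

if ($blocked.Count -gt 0) {
    Write-Output "Control name resolved but $($blocked.Count) security names did not: possible Conficker DNS hook."
} else {
    Write-Output 'All security names resolved: no sign of the DNS block (this alone does not prove the system is clean).'
}
```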

PandaLabs: They have a USB vaccine for Malware that spreads using USB drives. This will include Conficker. You can get it here.

BitDefender: They offer a tool for Conficker removal. There are two options, one is for a single PC, and the other is for network removal. You can get either tool here. In addition, you can scan your system before you download, just to check for infection.

Microsoft’s Malicious Software Removal Tool (MSRT): This too will clean Conficker infections. However, because Conficker will block access to this download if you are infected, you have two options.

The first option is to use a proxy. If that option is unavailable, then use the following URL to download the tool itself.

ESET: ESET has released a Conficker removal tool which can be downloaded here.

Kaspersky: Kaspersky has released Kaspersky KKiller, download it here.

Researchers with the HoneyNet Project have released the entire set of tools and applications used in their Conficker research. The list is here.

If you use any of the tools here, you must make sure you use Windows Update to apply the proper patches. The most important is MS08-067.

There are more tools online. However, only those from known and trusted vendors should be used. Criminals are taking advantage of the Conficker fear by offering fake tools that claim to remove the Worm but in reality do nothing of the sort.

Once The Tech Herald tests and validates new removal tools, we will add to this list.
